Merge pull request #348 from xmidt-org/fail-open

updated primaryHandler and talaria config to include a check for fail open
xmidt-org · Oct 26, 2023 · da5eb08 · da5eb08
2 parents be9d985 + 593f2f2
commit da5eb08
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 14 deletions.
diff --git a/primaryHandler.go b/primaryHandler.go
@@ -79,6 +79,10 @@ const (
 	// RehasherServicesConfigKey is the path to the services for whose events talaria's
 	// rehasher should listen to.
 	RehasherServicesConfigKey = "device.rehasher.services"
+
+	// FailOpenConfigKey is the path to the fail open boolean which will determine
+	// which route to take when a device tries to connect to talaria
+	FailOpenConfigKey = "failOpen"
 )
 
 // NoOpConstructor provides a transparent way for constructors that make up
@@ -314,20 +318,41 @@ func NewPrimaryHandler(logger *zap.Logger, manager device.Manager, v *viper.Vipe
 	}
 
 	// the secured variant of the device connect handler - compatible with v2 and v3
-	r.Handle(
-		fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
-		deviceConnectChain.
-			Extend(versionCompatibleAuth).
-			Append(DeviceMetadataMiddleware(getLogger)).
-			Then(connectHandler),
-	).HeadersRegexp("Authorization", ".*")
-
-	r.Handle(
-		fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
-		deviceConnectChain.
-			Append(DeviceMetadataMiddleware(getLogger)).
-			Then(connectHandler),
-	)
+	// default functionality is to allow for talaria to accept devices with or without authorization
+	// failOpen must be set to false in config in order to require authorization from any device trying to connect
+	failOpen := true
+	if v.IsSet(FailOpenConfigKey) {
+		err := v.UnmarshalKey(FailOpenConfigKey, &failOpen)
+		if err != nil {
+			logger.Error("failOpen parse failure", zap.Error(err))
+			return nil, errors.New("failed parsing FailOpen boolean")
+
+		}
+	}
+	if failOpen {
+		r.Handle(
+			fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
+			deviceConnectChain.
+				Extend(versionCompatibleAuth).
+				Append(DeviceMetadataMiddleware(getLogger)).
+				Then(connectHandler),
+		).HeadersRegexp("Authorization", ".*")
+
+		r.Handle(
+			fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
+			deviceConnectChain.
+				Append(DeviceMetadataMiddleware(getLogger)).
+				Then(connectHandler),
+		)
+	} else {
+		r.Handle(
+			fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
+			deviceConnectChain.
+				Extend(versionCompatibleAuth).
+				Append(DeviceMetadataMiddleware(getLogger)).
+				Then(connectHandler),
+		)
+	}
 
 	apiHandler.Handle(
 		"/device/{deviceID}/stat",

diff --git a/talaria.yaml b/talaria.yaml
@@ -633,3 +633,7 @@ zap:
   # "console", as well as any third-party encodings registered via
   # RegisterEncoder.
   encoding: json
+
+#(Optional) failOpen determines if talaria should allow devices without authentication to connect or not
+#default is to allow for fail open
+failOpen: true